PandaLabs Blog Everything you need to know about Internet threats

Do you want to know a little bit more about attacks aimed at companies?  We have created this infographic about it:

• Vulnerabilities: Software vulnerabilities will be the main target of cyber-criminals next year. It is undoubtedly the preferred method of infection for compromising systems transparently, used by both cyber-criminals and intelligence agencies in countries around the world. In 2012, we saw how Java, which is installed on hundreds of millions of devices, was repeatedly compromised and used to actively infect millions of users. In second place is Adobe, as given the popularity of its applications (Acrobat Reader, Flash, etc.) and its multiple security flaws, it is one of the favorite tools for massively infecting users as well as for targeted attacks.

  Although we may think that home users are exposed to the highest risk, remember that updating applications, which is essential for protecting against these types of attacks, is a very complex process in companies, where updating all computers must be coordinated. At the same time, it is essential to ensure that all the applications used in a company work correctly. This makes the update processes slow, which opens a window that is exploited to steal information in general and launch targeted attacks in search of confidential data.

• Social networks: The second most widely used technique is social engineering. Tricking users into collaborating to infect their computers and steal their data is an easy task, as there are no security applications to protect users from themselves. In this context, use of social networks (Facebook, Twitter, etc.), places where hundreds of millions of users exchange information, on many occasions personal data, makes them the preferred hunting ground for tricking users.

  Particular attention should be paid to Skype, which after replacing Messenger, could become a target for cyber-criminals.

• Malware for mobile devices: Android has become the dominant mobile operating system. In September 2012, Google announced that it had reached the incredible figure of 700 million Android activations. Although it is mainly used on smartphones and tablets, its flexibility and the fact that you do not have to buy a license to use it are going to result in new devices opting to use Google’s operating system. Its use is going to become increasingly widespread, from televisions to all types of home appliances, which opens up a world of possible attacks as yet unknown.

• Cyber-warfare / Cyber-espionage: Throughout 2012, different types of attacks have been launched against nations. The Middle East is worth mentioning, where the conflict is also present in cyber-space. In fact, many of these attacks are not even carried out by national governments but by citizens, who feel that they should defend their nation by attacking their neighbors using any means available.

  Furthermore, the governments of the world’s leading nations are creating cyber commandos to prepare both defense and attack and therefore, the cyber-arms race will escalate.

• Growth of malware: For two decades, the amount of malware has been growing dramatically. The figures are stratospheric, with tens of thousands of new malware strains appearing every day and therefore, this sustained growth seems very far from coming to an end.

  Despite security forces being better prepared to combat this type of crime, they are still handicapped by the absence of borders on the internet. A police force can only act within its jurisdiction, whereas a cyber-crook can launch an attack from country A, steal data from citizens of country B, send the stolen data to a server situated in country C and could be living in country D. This can be done in just a few clicks, whereas coordinated action of security forces across various countries could take months. For this reason, cyber-criminals are still living their own golden era.

• Malware for Mac: Cases like Flashback, which occurred in 2012, have demonstrated that not only is Mac susceptible to malware attacks but that there are also massive infections affecting hundreds of thousands of users. Although the number of malware strains for Mac is still relatively low compared to malware for PCs, we expect it to continue rising. A growing number of users added to security flaws and lack of user awareness (due to over-confidence),mean that the attraction of this platform for cyber-crooks will continue to increase next year.

• Windows 8: Last but not least, Windows 8. Microsoft’s latest operating system, along with all of its predecessors, will also suffer attacks. Cyber-criminals are not going to focus on this operating system only but they will also make sure that their creations work equally well on Windows XP to Windows 8, through Windows 7.

  One of the attractions of Microsoft’s new operating system is that it runs on PCs, as well as on tablets and smartphones. For this reason, if functional malware strains that allow information to be stolen regardless of the type of device used are developed, we could see a specific development of malware for Windows 8 that could take attacks to a new level.

We have detected a new Twitter spam campaign that may compromise user security. Users receive a direct message on Twitter, which contains the text “Check out Obama punch a guy in the face for calling him a nigger”, and a malicious link to a fake Facebook page.

If you click the link, you will be taken to a bogus Facebook page where you are prompted to submit your Twitter login details. However, if you enter your credentials, the malware will hijack your account in order to send the same malicious message to all of your followers.

Then, you will be taken to a website that displays a fake YouTube video set against a fake Facebook background. This time, you will be asked to update a ‘YouTube player’ to watch the video. As is usual in this type of scam, if you click on the ‘Install’ button, you will find yourself downloading the Koobface.LP worm, which will infect your computer and steal all of your personal data.

This attack exploits the two most popular social networking sites, Facebook and Twitter, to trick users into believing they are viewing a trusted site.  It also relies on its victims’ curiosity by using a scandalous story involving U.S. President Barack Obama and racism. Cyber-criminals know people are curious by nature and take advantage of this to trick users and infect them with their creations.

Twitter Direct Messages, Yet Another Technique to Spread Malware Infections

This is just the latest example of a cyber-scam that uses Twitter direct messages to spread. Users’ accounts receive dozens of them every day, with malicious links and enticing messages like: “What exactly do you think you’re doing on this video clip”, “Hello this guy is saying bad rumors about u…”, “Did you see this pic of you?”, etc., etc.

Never, ever, click the links within the text of those messages as they could infect your computer.  Every time you receive a direct message you should check with the sender that they have knowingly sent it to you. Make sure it has not been automatically forwarded to you from a hacked account. As a general rule, always keep your antivirus software up to date and be wary of messages offering sensational videos or unusual stories as, in 99 percent of cases they are designed to compromise user security.

Do you want to know a little bit more about Cyber-Crime?  We have created this infographic about it:

Do you want to know a little bit more about Trojan Horses?  We have created this infographic about them:

Since Saturday, there’s a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who’s infected with this worm will send you the following message:

The link refers to goo.gl and is actually Google’s URL Shortener service. You’ll land on Hotfile.com, which is a legitimate file sharing website. (it’s not the first time Hotfile has been used to spread malware, read more here)

Positive thing is that it is a ZIP file and not an EXE. This means the user still has to manually unpack and run the malware. Inside our ZIP file we’ll find the following file, which is covered as a Skype setup file:

When executing this file, another file (a random 4 character EXE) will be dropped to the %appdata% folder of the currently logged on user:

This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses:

74.208.112.178
87.106.98.157
199.15.234.7
213.165.71.142
213.165.71.153
217.160.108.147

Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive -skype_05102012_image.exe looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe

It will then automatically send a message, based on the OS language. It uses the following list to spread:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c’est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?

It will then add the link and subsequently adds your username after the equals ‘=’ sign :
http://goo.gl/QYV5H?img=

The malware is identified by Panda as W32/SpySkype.G.worm and spreads via removable drives, instant messaging programs, and social networks. Some variants could get user names and passwords, and block websites related to security updates.  It may also launch a limited denial of service (DoS) attack.

On our test machines there was no additional malware downloaded, even after replicating a few times. Several variants of malware can however always be downloaded, whether it’s ransomware, rogueware….

Conclusion

Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype is nothing new. Still, it appears to be very successful as human curiosity wins in cases of doubt:
“Do I really have (embarassing) pictures of myself on this website? Better take a look!”

No, no, no!

Never click on unknown links, especially when a URL shortener service like goo.gl is used. (others are for example t.co, bit.ly,tinyurl, etc.)
Don’t be fooled by known icons or “legit” file descriptions, this can easily be altered.

Even if you clicked the link and you’re not suspicious, you should be when a file is downloaded and no pictures are shown, but just an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

Keep your antivirus always updated.  Here you will find a free 6-month trial of Panda Cloud Antivirus Pro.

I would like to thank our colleague Bart Parys http://www.twitter.com/bartblaze, (Panda Security Benelux)

A new Trojan has been discovered –DarkAngle– that steals users’ confirmation information like passwords, banking details, etc. Nothing unusual about this, just one more to add to the more than 73,000 new viruses that appear every day. However, there is something truly special about this new piece of malware…

It tries to pass itself off as our Panda Cloud Antivirus. As you can see in the image, it uses the well-known Panda icon to trick users, who may think they are actually installing our antivirus software. Once run, DarkAngle logs all commands entered by the user and sends them to an external server. In addition, it loads up every time the user reboots the computer, making sure it logs the victim’s data at all times. Furthermore, it uses stealth techniques to bypass antivirus engines.

Panda Cloud Antivirus is one of the best free antivirus programs available, as shown by the millions of users who rely on it to protect their PCs from the cloud. Cyber-criminals know this and try to exploit the software’s popularity to spread their creations. Actually, this is not the first time that they have done something like this, nor will it be the last. For this reason, we’d like to take this opportunity to warn you and advise you that if you want to use Panda Cloud Antivirus, you should download it from its official website www.cloudantivirus.com, or the product’s Facebook page, where you will find a free 6-month trial of Panda Cloud Antivirus Pro.

Just a few days after a critical vulnerability was detected in Java 1.7, we now find a new vulnerability being used in the wild, this time the compromised system is Internet Explorer. Microsoft’s browser has been compromised by a group of cybercriminals, who have discover a security hole and have created several malicious web pages that, by exploiting this breach on the browser, download malware elements into the users’ computers.

The malware that is currently being distributed is part of the already known Poison Ivy Trojan family, and it gets into the computer when the user visits one of the compromised websites when using Internet Explorer as a browser. Without the user’s notice, the Trojan is downloaded silently to his computer, entering through the browser’s security hole. The Trojan is a specialist in taking control of infected computers, which allows the cybercriminal to steal the user’s sensitive information, such as passwords, banking data, etc.

At Panda Security we protect our clients and users against this Trojan, but we are sure that the cybercriminals are already working on new malware programs that exploit this Internet Explorer vulnerability, to compromise new computers. So we encourage the public to be really careful to avoid being infected. In any case, from PandaLabs we  keep on fighting against malware 24 hours, identifying new samples and creating vaccines against them.  In addition, we have our TruPrevent proactive technologies that provide protection against new malware based on their behavior.

Microsoft has already informed about this problem in their blog, and has made available to all users an urgent toolkit which would seal the hole, called Enhanced Mitigation Experience Toolkit (EMET), until they are able to deliver a patch that solves the vulnerability once and for all.

In any case, the easiest solution is to avoid using Internet Explorer until Microsoft solves this vulnerability on its browser, and use Chrome or Firefox.